Message-ID: <b17dde9a-6519-15be-07c6-218b1a1ef416@kernel.org>
Date: Mon, 9 May 2022 12:41:17 +0200
From: Jiri Slaby <jirislaby@...nel.org>
To: "D. Starke" <daniel.starke@...mens.com>,
linux-serial@...r.kernel.org, gregkh@...uxfoundation.org
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/3] tty: n_gsm: fix buffer over-read in gsm_dlci_data()
On 04. 05. 22, 10:17, D. Starke wrote:
> From: Daniel Starke <daniel.starke@...mens.com>
>
> 'len' is decreased after each octet that has its EA bit set to 0, which
> means that the value is encoded with additional octets. However, the final
> octet does not decrease 'len' which results in 'len' being one byte too
> long. A buffer over-read may occur in tty_insert_flip_string() as it tries
> to read one byte more than the passed content size of 'data'.
> Decrease 'len' also for the final octet which has the EA bit set to 1 to
> write the correct number of bytes from the internal receive buffer to the
> virtual tty.
>
> Fixes: 2e124b4a390c ("TTY: switch tty_flip_buffer_push")
That commit barely introduced the problem.
> Cc: stable@...r.kernel.org
> Signed-off-by: Daniel Starke <daniel.starke@...mens.com>
> ---
> drivers/tty/n_gsm.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
> index a38b922bcbc1..9b0b435cf26e 100644
> --- a/drivers/tty/n_gsm.c
> +++ b/drivers/tty/n_gsm.c
> @@ -1658,6 +1658,7 @@ static void gsm_dlci_data(struct gsm_dlci *dlci, const u8 *data, int clen)
> if (len == 0)
> return;
> }
> + len--;
> slen++;
> tty = tty_port_tty_get(port);
> if (tty) {
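Review bot: the added 'len--' after the loop's closing brace has no guard like the 'if (len == 0) return;' inside the loop, so 'len' can be 0 when execution continues to tty_port_tty_get(port) and whatever follows. Please confirm that a zero-length payload is handled there, or return early at this point as the loop does. A short comment next to 'len--;' saying that it accounts for the final octet, the one with the EA bit set to 1, would also make its pairing with 'slen++' clear to the next reader.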
--
js
suse labs
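
The length accounting described in the commit message above, as an added user-space model (example code, not taken from the patch or from n_gsm.c). The names skip_ea_field and over_read and the sample frame are hypothetical, and the model assumes the EA bit is the least significant bit of each octet.

```c
#include <stdint.h>
#include <stdio.h>

#define EA 0x01 /* assumed: extension bit, 1 marks the final octet */

/*
 * Skip an EA-terminated field at the start of buf (clen bytes in total).
 * Returns the payload length that would be handed on, or -1 if the field
 * is not terminated inside the buffer. fixed == 0 models the accounting
 * before the patch, where the final octet is not subtracted from len.
 */
static int skip_ea_field(const uint8_t *buf, int clen, int fixed,
                         const uint8_t **payload)
{
    const uint8_t *data = buf;
    int len = clen;

    if (len <= 0)
        return -1;
    while ((*data++ & EA) == 0) {
        len--;                /* one continuation octet consumed */
        if (len == 0)
            return -1;        /* ran out before seeing EA = 1 */
    }
    if (fixed)
        len--;                /* also count the final (EA = 1) octet */
    *payload = data;
    return len;
}

/* Number of bytes a copy of len bytes from payload reads past buf's end. */
static int over_read(const uint8_t *buf, int clen, const uint8_t *payload, int len)
{
    int end = (int)(payload - buf) + len;
    return end > clen ? end - clen : 0;
}

/* Constructed frame: two-octet field (0x02: EA=0, 0x03: EA=1), 3 payload bytes. */
static const uint8_t sample[] = { 0x02, 0x03, 'a', 'b', 'c' };

int main(void)
{
    const uint8_t *p;
    int n = skip_ea_field(sample, sizeof(sample), 0, &p);
    printf("before: len=%d over-read=%d\n", n, over_read(sample, sizeof(sample), p, n));
    n = skip_ea_field(sample, sizeof(sample), 1, &p);
    printf("after:  len=%d over-read=%d\n", n, over_read(sample, sizeof(sample), p, n));
    return 0;
}
```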